Privacy Policy (B2B)
Effective date: January 18, 2026
1. About this Policy
This Policy explains what data we collect and process when providing the Service (dashboard, widget, API) and how we protect it.
It applies to Customer representatives/authorized users and to End User data where the Customer deploys the widget on its properties.
2. Roles (B2B)
For Customer account data (e.g., admin email), we typically act as an independent controller.
For End User data processed via the widget/integrations, the Customer typically acts as the controller and we act as a processor on the Customer’s behalf.
If the Customer requires a Data Processing Agreement (DPA), it can request one via our contact email.
3. Data we collect
• Account data: name/username (if used), email, password hash, roles, settings, plan and billing details.
• Conversation data: End User and Customer staff messages, conversation metadata (time, project/widget), and AI-generated outputs.
• Sources and content: URLs/documents connected by the Customer and processed results (e.g., index/snippets) required for answering.
• Technical data: IP address, user-agent, event logs, session identifiers, errors, performance metrics.
• Security data: login events, configuration changes, audit logs (if enabled).
• Cookies and similar technologies (see Section 12).
4. Data sources
Data comes from the Customer (admins/staff), from End Users via the widget, and from Customer-connected sources (e.g., public pages by URL).
The Customer should only connect sources it has the rights and a lawful basis to use.
5. How we use data
• To provide the Service: assistants, widget operation, generating outputs, storing conversation history, processing sources.
• To secure the Service, prevent abuse, and investigate incidents.
• To support the Customer (ticket handling and diagnostics).
• For analytics and Service improvement (including aggregated metrics).
• To comply with legal obligations (e.g., accounting and lawful requests).
6. Legal basis (GDPR and similar laws)
We process data based on performance of a contract with the Customer, legitimate interests (e.g., security), legal obligations, and/or on the Customer’s instructions as a processor.
Where consent is required by law (e.g., for certain cookies), obtaining and managing consent on the Customer’s website is typically the Customer’s responsibility.
7. Data sharing
• AI model providers: we send requests/context to the selected provider to generate outputs (e.g., OpenAI, Anthropic).
• Infrastructure and service vendors: hosting, databases, monitoring, email, billing — under contract and, where applicable, as subprocessors.
• Legal requirements: we may disclose data to authorities where legally required.
• Corporate transactions: data may be transferred to a successor in connection with a merger/acquisition, subject to reasonable safeguards.
We do not sell personal data or share it with third parties for their independent marketing purposes.
8. International transfers
Data may be processed in countries other than the Customer’s country (e.g., where model providers or hosting are located).
Where required, we use contractual mechanisms (such as SCCs) and other safeguards.
9. Retention
We retain data as needed to provide the Service, comply with law, and resolve disputes, taking into account the Customer’s settings and plan.
The Customer can request deletion via the interface or support; some data may be retained longer where required by law or to protect legal rights.
10. Security
We implement reasonable safeguards (including encryption in transit, access control, least privilege, and monitoring).
No system is 100% secure; the Customer is also responsible for securing its own systems and correctly configuring the widget.
11. Data subject rights
If you are a Customer representative/employee, you may request access, correction, or deletion by contacting us.
If you are an End User, your requests should typically be handled by the Customer as the controller. We will assist the Customer in fulfilling lawful requests within our technical capabilities.
Depending on jurisdiction, GDPR/UK GDPR or similar rights may apply (access, deletion, restriction, objection, portability).
Requests: mail@riserlabs.io.
12. Cookies and similar technologies
We use cookies/local storage for authentication, security, and core functionality. We may also use technical metrics for diagnostics.
On the Customer’s properties (where the widget is embedded), cookie/consent management is typically controlled by the Customer.
13. Children
The Service is intended for B2B use. The Customer determines its audience and is responsible for lawful processing of minors’ data on its properties.
If you believe a child’s data was submitted via the widget unlawfully, contact the Customer or email us at mail@riserlabs.io.
14. Changes to this Policy
We may update this Policy. The updated version will be published on our website; for material changes we will take reasonable steps to provide notice.
15. Contact
Questions and requests: mail@riserlabs.io.